Rolling the master key online

John Devitofranceschi jdvf at optonline.net
Sat Sep 29 13:49:06 EDT 2018



> On Sep 29, 2018, at 11:33 AM, Greg Hudson <ghudson at MIT.EDU> wrote:
> 
> On 09/28/2018 07:24 AM, John Devitofranceschi wrote:
>> Are there any timing considerations when purging the old master key(s)?
>> I experienced some problems after following the documented procedure (kadmind/kpropd not working, tickets not being issued) which I think might have been due to running the 'purge_mkeys' before the updated principals were propagated to the slaves after running the 'update_princ_encryption'.
> 
> I was not aware of any issues like this.  Please send a bug report to krb5-bugs at mit.edu with as much detail as you can reconstruct, including the krb5 versions running on the KDCs, specific error messages, and the sequence of operations performed.  I will see if I can figure out what might have gone wrong.

Will do.  Just following up on my experiences, when I repeated the process and made certain that all the slaves had the principal encryption updates, I had no problems at all.
